Hi,

I will need some more information in order to debug this, preferably the certificate chain - is that something you can email to me?

Otherwise, you can enable the certpath debugging you mention below in the Java Control Panel. Go to the Java tab, and add it to the Runtime Parameters of the JRE that you are using. Then email me the log file if possible.

-Djava.security.debug=certpath

Thanks,
Sean

On 08/05/2013 11:33 AM, Matthew Hall wrote:
We have a customer that is seeing the following exception in JDK7u25 after
revocation checking was enabled by default:

java.security.cert.CertificateException:
java.security.cert.CertPathValidatorException: java.io.IOException:
DerInputStream.getLength(): lengthTag=127, too big.
     at com.sun.deploy.security.RevocationChecker.checkOCSP(Unknown Source)
     at com.sun.deploy.security.RevocationChecker.check(Unknown Source)
     at com.sun.deploy.security.TrustDecider.checkRevocationStatus(Unknown Source)
     at com.sun.deploy.security.TrustDecider.getValidationState(Unknown Source)
     at com.sun.deploy.security.TrustDecider.validateChain(Unknown Source)
Caused by: java.security.cert.CertPathValidatorException: java.io.IOException:
DerInputStream.getLength(): lengthTag=127, too big.
     at sun.security.provider.certpath.OCSP.check(Unknown Source)
     at sun.security.provider.certpath.OCSP.check(Unknown Source)
     at sun.security.provider.certpath.OCSP.check(Unknown Source)
     ... 35 more
Caused by: java.io.IOException: DerInputStream.getLength(): lengthTag=127, too big.
     at sun.security.util.DerInputStream.getLength(Unknown Source)
     at sun.security.util.DerValue.init(Unknown Source)
     at sun.security.util.DerValue.<init>(Unknown Source)
     at sun.security.provider.certpath.OCSPResponse.<init>(Unknown Source)
     ... 38 more

However this com.sun.deploy.* code doesn't seem to be part of OpenJDK or
IcedTea, so it's not possible for the community to recompile it with symbols,
debug it, and find the cause.

I did notice, in the code for sun.security.provider.certpath.OCSP.check which
is available, I could see a way to get some logs from part of this code:

private static final Debug debug = Debug.getInstance("certpath");

But I haven't had a chance to try that at the customer who found the issue.

I suspect that the code reacts poorly if it sees unexpected characters in
blocked OCSP sockets, but I can't tell without being able to read checkOCSP to
see what it's really doing in there. Can anyone take a look?

Thanks,
Matthew.
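An added example, not from this thread or from the JDK: a small Python decoder for the DER length field that mirrors the check behind DerInputStream.getLength(), so the "lengthTag=127, too big." message above can be reproduced from a single non-DER byte (0xFF), together with a sanity check a client could apply to an OCSP HTTP response body before handing it to a DER parser. The response bodies it is run on are constructed for illustration.

```python
# Added example: reproduce the DER length check that produced the
# "lengthTag=127, too big." error and pre-validate an OCSP response body.

SEQUENCE_TAG = 0x30  # an OCSPResponse is a DER SEQUENCE, so byte 0 must be 0x30


def der_length(buf, pos):
    """Decode the DER length at buf[pos]; return (length, position after it).

    Mirrors DerInputStream.getLength(): in long form the low seven bits of the
    first byte count the following length octets, and more than four octets is
    rejected with the same message the JDK emits. A 0xFF byte therefore
    yields lengthTag=127, which is what a non-DER (e.g. HTML) body produces.
    """
    if pos >= len(buf):
        raise IOError("Short read of DER length")
    first = buf[pos]
    pos += 1
    if first & 0x80 == 0:            # short form: the byte itself is the length
        return first, pos
    num_octets = first & 0x7F
    if num_octets == 0:              # 0x80 means indefinite length, not valid DER
        raise IOError("indefinite length not permitted in DER")
    if num_octets > 4:
        raise IOError("DerInputStream.getLength(): lengthTag=%d, too big." % num_octets)
    if pos + num_octets > len(buf):
        raise IOError("Short read of DER length")
    value = int.from_bytes(buf[pos:pos + num_octets], "big")
    return value, pos + num_octets


def der_length_error(buf, pos=0):
    """Return the error message der_length() raises for buf, or None if it parses."""
    try:
        der_length(buf, pos)
    except IOError as exc:
        return str(exc)
    return None


def looks_like_der_sequence(body):
    """Cheap pre-check for an OCSP response body: it must start with a SEQUENCE
    tag whose declared length exactly covers the rest of the body."""
    if len(body) < 2 or body[0] != SEQUENCE_TAG:
        return False
    try:
        length, pos = der_length(body, 1)
    except IOError:
        return False
    return pos + length == len(body)
```

The constructed body b"\x30\x03\x0a\x01\x06" is the smallest well-formed OCSPResponse (responseStatus = unauthorized), while a body beginning with 0xFF or with HTML fails the pre-check instead of reaching the DER parser.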

